Known Behaviors and Issues
Known Behaviors
- Previously, if you created a remote access VPN without specifying an install interval, the system incorrectly configured the install interval as 0 and added a matching command. This issue is fixed in the latest Juniper Security Director Cloud release. After you upgrade to the latest Juniper Security Director Cloud release and deploy the previously created remote access VPN, the system displays the delete security ipsec vpn <vpn-name> ike install-interval command that removes the unwanted configuration. You can set a new install interval value by editing the field. See Create a Remote Access VPN—Juniper Secure Connect for details.
- The following SRX Series Firewall configurations configured in the earlier Junos Detailed Configuration tab are deprecated and no longer available in the Device Configurations tab of the Juniper® Networks SRX Series Firewalls device configurations page:
  - dynamic-profiles
  - logical-systems
  - tenants
  - multi-chassis
  - multicast-snooping-options
  - protocols/amt
  - protocols/vstp
  - security/remote-access/client-config
  - security/remote-access/default-profile
  - security/remote-access/profile
  - services/application-identification/application
  - services/application-identification/application-group
  - services/user-identification/identity-management
  - services/user-identification/active-directory-access
  - system/services/bbe-stats-service
  - unified-edge
- When security policies, NAT rules, NAT pools, or IPsec tunnels are configured in the Juniper Security Director Cloud GUI or through the CLI, the changes don't appear in the Connected Security Distributed Services (CSDS) group until the next polling interval of the feature.
  When you configure new security policies, NAT rules, NAT pools, or IPsec tunnels on devices that are part of a CSDS group, Juniper Security Director Cloud might take some time to display the devices' statistics due to scheduled polling.
  To view the data configurations, edit the relevant CSDS group and save it without making any changes. This action triggers polling for all devices in the group and updates the data.
- When you view the data on the Dashboard and pages, you might face the following behaviors:
  - Some categories may not appear in the Sunburst chart if there is a large value gap between categories—for example, one category is 6000 and another is 5. This is expected behavior.
  - On the Insights page, the Device Group filter only includes data from when a device was added to a group. To view the historical data of devices, select only the Device filter.
  - When you click the Total Events number in the grid table of the Insights pages, you might notice a discrepancy between the total events displayed there and those shown on the All Security Events page. This difference arises because the All Security Events page presents live data, whereas the Insights pages display aggregated data at discrete intervals.
  - When viewing data in the charts for the Infected Hosts and Top 5 URL Activity widgets that include timelines, the data may not be correctly sorted based on the selected timeline.
    Workaround: Click any event in the Infected Hosts or Top 5 URL Activity widgets. You are redirected to the All Security Events page, where you can view the specific event time details.
  - When you view data of the third-party DAG feeds on the SecIntel Feeds page, the data might not be complete because the third-party DAG feed might not be enabled even though the toggle switch is enabled.
  - When you fail over an SRX Series Firewall, the Insights page displays data for currently active devices only. To view the cluster logs, select both nodes of the cluster.
  - On the Insights page, the bubble chart does not appear for the Users, Events, Volume, or Sessions tabs when the selected metric has a value of zero. Because the bubble chart visualizes data based on non-zero values, no bubbles are displayed.
  - When you click the number of Rules on the grid table of the Insights pages, a list of rules is displayed on a pane instead of the Security Policies page. This issue doesn't apply to the Insights Applications page.
- For the SRX Series Firewalls that are automatically imported to Juniper Security Director Cloud, the default Content Security (formerly known as UTM) configuration on Juniper Security Director Cloud is preferred over the Content Security configuration imported from the devices.
  To prevent conflicts, perform the following steps:
  1. After automatic import of the devices, click .
  2. Review and modify the Content Security settings.
  3. Click .
  4. On the SRX Policy page, click .
  5. Review and modify the imported security configurations to match the default Content Security profile configurations in Juniper Security Director Cloud.
  OR
  1. Click Administration.
  2. Click Settings and disable Auto Import after device discovery.
  3. Manually import devices to Juniper Security Director Cloud.
  4. For any conflicts, review and modify the imported security configurations to match the default Content Security profile configurations in Juniper Security Director Cloud.
  Note: The Content Security settings are global settings and must be configured after importing the settings automatically or manually to avoid any conflicts.
- We now support unified policies. We do not support legacy application security policies.
- We now support a global address book. We do not support a zone address book.
- When you import a policy that has rules with unsupported configuration, Juniper Security Director Cloud shows information about these rules under Summary in the import wizard. In an imported policy, these rules with unsupported configurations are grayed out and shown with a disabled icon to differentiate between system-disabled rules and rules disabled by the user. The rule description also shows the reason for disabling these rules.
  You cannot delete, edit, or perform any rule actions on these unsupported rules.
- Juniper Security Director Cloud overwrites user configuration performed directly from the device CLI or from any interface other than the portal.
  To avoid conflicts, you can import the configurations and re-assign the devices from existing policies.
- Even when a user has not configured certain cloud applications, the CASB Dashboard and CASB Application Visibility display the details.
- CASB Application Visibility shows micro-applications without much detail.
- When you export log data from the page, the exported log data CSV file may fail to open on Windows if the file name (including the folder path) is too long.
  This is a known limitation in Microsoft Excel and Windows regarding maximum file path length. The issue does not affect Mac systems.
  To avoid this error, move the CSV file to a folder with a shorter path before opening it.
Known Issues
Juniper Security Director Cloud
- Deleting AWS or Azure DAG feeds from Juniper Advanced Threat Prevention Cloud (ATP Cloud) might result in stale shared-object entries remaining in Juniper Security Director Cloud.
  Workaround: Delete the AWS or Azure DAG feeds only through Juniper Security Director Cloud from .
- Third-party DAG feeds that are available in Juniper ATP Cloud do not automatically synchronize with Juniper Security Director Cloud.
  Workaround: Use one of the following options to reflect updates in Juniper Security Director Cloud:
  - Disable and re-enable the amazonaws and microsoftazure buttons under Third-Party DAG Feeds from .
  - Navigate to , select any AWS or Azure DAG feed, and edit it to reflect updates.
- When you configure specific AWS or Azure DAG filters in Juniper Security Director Cloud, the default shared objects (amazonaws for AWS and microsoftazure for Azure) still appear in the shared objects list under . However, these default objects cannot be used in the specific AWS or Azure DAG filters.
- After upgrading, you may notice that when pivoting from the Threat Summary widget on the Dashboard page, the system displays only zone-based details. It does not display the selected risk level and service details.
  Workaround: To view the required data, go to the Insights page and use View Settings to manually select the required filters.
- Users with custom roles and restricted access to features might encounter an error when navigating to the Insights pages.
- Insights reports that are generated using the application and user data might contain inaccuracies, despite the availability of more current data within the organization.
- When you configure Juniper® Networks SRX Series Firewalls in the Device Configurations tab, you might face the following issues (setting, known issue, and workaround for each):
  - Setting: Basic Settings > Management > SNMP
    Known issue: If you configure Remote Engine for SNMP, the configuration deployment fails because the Privacy configuration is deployed before the Authentication configuration. The following error message is displayed:
    deploy failed with error:[ErrorSeverity:error,ErrorPath:,ErrorMessage: Authentication should be configured before configuring the privacy ,BadElement:]
    Workaround: Configure the Remote Engine user settings in the following sequence:
    1. Select the Authentication method while adding a Remote Engine user at SNMP > V3 > USM > Remote Engine > User.
    2. Deploy the device configuration.
    3. Select the Privacy setting.
    4. Deploy the device configuration again.
  - Setting: Network Settings > Interfaces
    Known issue: If you configure both the unit number and the VLAN ID as the outer tag for interfaces, the configuration deployment fails. The following error message is displayed:
    error: 'unit' statement cannot be included along with 'vlan-tags-outer' statement
    Workaround: Do not configure both options as the outer tag for interfaces. Select either Vlan_tag_mode or Unit as the outer tag.
  - Setting: Network Settings > Interfaces
    Known issue: If you configure Pic Set for interfaces, the configuration deployment fails. The following error message is displayed:
    Segmentation fault (core dumped)
    Workaround: Configure Pic Set only for interfaces of the SRX5400, SRX5600, and SRX5800 SRX Firewalls.
  - Setting: Security Settings > User Firewall > Device Information
    Known issue: The existing configuration of onboarded SRX Series Firewalls is not displayed on the User Firewall page because of a mismatch of the Authentication Source field name between the Juniper Security Director Cloud GUI and the device CLI.
    Workaround: None
  - Setting: Advanced Settings > Security > GTP > Message IE Profile V2
    Known issue: If you don't configure all the mandatory settings for Message IE Profile V2, the configuration is not deployed on the devices even though the Juniper Security Director Cloud GUI displays a success message.
    Workaround: Configure all the mandatory settings for Message IE Profile V2. See message-ie-profile-v2 for the mandatory settings.
  - Setting: Advanced Settings > Security > Grouped IE Profile
    Known issue: If you don't configure all the mandatory settings while adding a Grouped IE Profile, the configuration is not deployed on the devices even though the Juniper Security Director Cloud GUI displays a success message.
    Workaround: Configure all the mandatory settings for Grouped IE Profile. See grouped-ie-profile for the mandatory settings.
  - Setting: Advanced Settings > Protocols > IS-IS Instance
    Known issue: If you don't configure all the mandatory settings while adding an IS-IS Instance, the configuration is not deployed on the devices even though the Juniper Security Director Cloud GUI displays a success message.
    Workaround: Configure all the mandatory settings for IS-IS Instance. See level (IS-IS Interfaces) for the mandatory settings.
  - Setting: Network Settings > Forwarding Options > Load Balance > Indexed Load Balance
    Known issue: If you enable Indexed Load Balance while configuring Load Balance, the configurations are not deployed on the devices even though the Juniper Security Director Cloud GUI displays a success message. The following error message is displayed if you deploy the configuration using the CLI:
    Could not retrieve the two-level-multi-next-hop setting
    Workaround: Don't enable Indexed Load Balance. The option is not applicable to SRX Series Firewalls.
  - Setting: Advanced Settings > Chassis > Network Services
    Known issue: If you configure ethernet for Network Services, the configuration deployment fails because the option is not applicable to SRX Series Firewalls.
    Workaround: Don't configure ethernet for Network Services in SRX Series Firewalls. The option is not applicable to SRX Series Firewalls.
  - Setting: Advanced Settings > Chassis
    Known issue: If you configure Ambient Temperature, the configuration deployment fails because the option is applicable only to specific SRX Series Firewalls. The following error message is displayed:
    :[ErrorSeverity:error,ErrorPath:,ErrorMessage:Invalid trailing data 'C' for numeric value: '40C',BadElement:40C]
    Workaround: Configure Ambient Temperature only on the supported SRX Series Firewalls. See Feature Explorer for the supported models.
  - Setting: Advanced Settings > Protocols > PPP
    Known issue: If you configure PPP services for Protocols, the configuration deployment fails because the option is applicable only to specific SRX Series Firewalls.
    Workaround: Configure PPP services for Protocols using the CLI only on SRX4000 and SRX1600 Series Firewalls. See Point-to-Point protocol (PPP) for how to configure PPP using the CLI.
  - Setting: Advanced Settings > Protocols > R2CP
    Known issue: If you configure Port any for Client Port Value while configuring the R2CP protocols in the device CLI, the setting changes to Not configured on the Juniper Security Director Cloud GUI after deploying the device configuration.
    Workaround: Configure a specific port for Client Port Value on the Juniper Security Director Cloud GUI.
  - Setting: Device Configurations
    Known issue: If you configure an onboarded device, the configuration deployment shows as out-of-band changes.
    Workaround: Wait 5 to 10 minutes for the device onboarding process to complete before updating and deploying the device configuration.
  - Setting: Device Configurations
    Known issue: If you configure certain device settings, the configuration deployment fails because the settings might be applicable only to specific SRX Series Firewalls. For example:
    - Advanced Settings > Services > Hosted-services
    - Advanced Settings > Services > Mobile Flow Tap
    - Advanced Settings > Services > Network Slicing
    Workaround: Configure the settings applicable to the SRX Series Firewalls. See Feature Explorer for the supported models.
  - Setting: Device Configurations
    Known issue: If you deactivate device settings in the SRX Series Firewalls using the CLI, the device configuration deployment might fail when you configure settings on the Device Configurations tab of the Juniper Security Director Cloud GUI.
    Workaround: Activate and commit the settings, or delete the settings using the CLI, before configuring the settings using the Juniper Security Director Cloud GUI.
- When you create an Internet Content Adaptation Protocol (ICAP) profile server with a routing instance, the deployment fails.
  Workaround:
  1. Create the ICAP profile server without the routing instance.
  2. Deploy the ICAP profile server with the security policy.
  3. Add the routing instance to the ICAP profile server after the deployment.
- When you import an ICAP profile server with a routing instance, the routing instance is removed from the profile server during the deployment.
  Workaround:
  1. Create the ICAP profile server without the routing instance.
  2. Deploy the ICAP profile server with the security policy.
  3. Add the routing instance to the ICAP profile server after the deployment.
- The OOB connection between the SRX Series Firewall and Juniper Security Director Cloud doesn't close in the SRX Series Firewall. This happens because the device status in Juniper Security Director Cloud is changed to DOWN after the connection is closed, but the connection in the SRX Series Firewall remains active.
  Workaround: Restart the outbound SSH service in the SRX Series Firewall. This resynchronizes the SRX Series Firewall with Juniper Security Director Cloud and changes the status of the device to UP.
  1. Log in to the SRX Series Firewall using the CLI.
  2. Run the following command to check the status of the flow session:
     show security flow session destination-port 7804
  3. If the flow session is active, but Juniper Security Director Cloud displays DOWN or OUT OF SYNC as the device status, run the following command to restart the SRX Series Firewall outbound SSH service:
     restart service-deployment
- Image installation fails for the images available on Juniper Security Director Cloud.
  Workaround:
  - You can add the images from the SRX > Device Management > Software Images page, and deploy the images for the device.
  - Try a manual CLI command execution on the device.
- The security policy import and deploy might fail if hidden commands are present on the SRX Series Firewall because of an old version incompatibility, for example, in the content security configuration or the security policy.
  Workaround: Delete any hidden or undocumented commands from the SRX Series Firewalls, import the policy configuration again to Juniper Security Director Cloud, and then deploy the security policy.
- With the SMB protocol option in the predefined AAMW profile, the commit fails on devices running a Junos OS release earlier than 21.1.
  Workaround: Clone the default AAMW profile and disable the SMB protocol. Use the cloned profile in the Security Policy or global options.
- While upgrading a device (through a software image) to Junos OS 21.1 and later, the error ISSU is not supported for Clock Synchronization (SyncE) is shown.
  Workaround: Upgrade the cluster from the CLI with the workaround provided in https://prsearch.juniper.net/problemreport/PR1632810.
- After the security log configuration is pushed to the device, the session on port 6514 is not established immediately. The security and session logs take more than 10 minutes to appear in the Juniper Security Director Cloud UI. This behavior can be seen sporadically after onboarding the device or after consecutive renegotiations of the TLS connection from the device.
  Workaround: Use the following steps to change the security log stream to the host IP address to receive the security logs.
  1. View the DNS hostname information:
     For Home PoP Virginia, view the DNS hostname using the show host srx.sdcloud.juniperclouds.net command. Example output:
     srx.sdcloud.juniperclouds.net has address 10.1.23.1
     For Home PoP Ohio, view the DNS hostname using the show host srx.jsec2-ohio.juniperclouds.net command. Example output:
     srx.jsec2-ohio.juniperclouds.net has address 192.168.1.1
  2. Update the security log stream sd-cloud-logs to the IP address of the respective Home PoP. For example, if a device is onboarded in an organization with Home PoP as Virginia, use the set security log stream sd-cloud-logs host 10.1.23.1 command.
- For existing devices in Juniper Security Director Cloud with Home PoP as Virginia, the security logs are not seen in the UI. This behavior is observed if the domain name is used in the security log configuration to reach Juniper Security Director Cloud.
  Workaround:
  - Disable and enable the security log configuration from the UI using the following steps:
    1. Go to SRX > Device Management > Devices and click Security Logs Configuration.
    2. From the Group by field, select All.
    3. Select the device and make a note of the Source Interface value.
    4. Click the edit icon, disable the toggle for Security Log Status, and click √ (check mark) to save your changes.
    5. Click OK. A deploy job is triggered to disable the security log configuration.
    6. Go to SRX > Device Management > Devices and click Security Logs Configuration.
    7. From the Group by field, select All.
    8. Select the device, click the edit icon, and select the interface value that you noted in Step 3.
    9. Enable the toggle for Security Log Status, and click √ (check mark) to save your changes.
    10. Click OK. A deploy job is triggered to enable the security log configuration.
    The device renegotiates the security log connection after these steps. You should be able to view the security logs in the UI.
  - If you are unable to view the security logs using the above steps, use the following steps to change the security log configuration to point to the IP address:
    1. View the DNS hostname for Home PoP Virginia using the show host srx.sdcloud.juniperclouds.net command. Example output:
       srx.sdcloud.juniperclouds.net has address 10.1.23.1
    2. Update the security log stream sd-cloud-logs to the IP address of the respective Home region using the set security log stream sd-cloud-logs host 10.1.23.1 command.
- Juniper Security Director Cloud is unable to show the following logs for SRX Series Firewalls with Junos OS version 21.4 R3-S3.4 and later versions:
  - Web filtering logs
  - RT_FLOW logs
  - Content security logs
- While reimporting a NAT pool with a pre-configured address object and deploying it using a NAT rule, object conflict resolution (OCR) is detected for the address name field.
- If peer synchronization is enabled for the Multinode High Availability solution, any deployment or configuration change results in multiple synchronization jobs.
  Workaround: Delete the set system commit peers-synchronize command from the device configuration for the Multinode High Availability solution.
Secure Edge
- We do not support the use of third-party authenticators for access to certain SaaS applications. For example, the Box application allows you to log in using your Google credentials, but Juniper Secure Edge recognizes the activity as a Google login rather than a Box login.
  Workaround: Use the SaaS application's built-in authentication system.
- Box upload activity is not detected in roaming traffic.
- If you use the CASB-supported Microsoft Teams application, you must edit the decrypt profile to identify the activities. By default, the decrypt profile (exempt list) includes the following Microsoft URLs:
  - *.delivery.mp.microsoft.com
  - *.teams.microsoft.com
  - *.update.microsoft.com
  - *.vortex-win.data.microsoft.com
  - activation.sls.microsoft.com
  - update.microsoft.com
  - windowsupdate.microsoft.com
  - *.windowsupdate.microsoft.com
  You must remove *.teams.microsoft.com from the exempt list to identify Microsoft Teams activities.
- If a non-administrator user launches the Juniper® Identity Management Service (JIMS) Collector GUI, the status of the Enforcement Points is not updated. The status always shows Inactive in the Monitor > Enforcement Points page in the JIMS Collector UI.
- When authenticated by Hosted DB, end users with disabled accounts are not notified that their account has been disabled. The end-user account was either disabled by the administrator or automatically disabled after five consecutive failed authentication attempts.
  Workaround: End users can contact their administrator to unlock their account.
- When you create an IPsec tunnel from a site to Secure Edge, the tunnel configuration status on the UI displays a "tunnel_status_undefined" message instead of an "in progress" message.
  Workaround: The status updates when the tunnel creation process is complete, typically in about 10 minutes.
- The LDAP configuration may display a blank error screen when incorrect information is entered.
  Workaround: The administrator needs to reenter the correct LDAP values.
- A few CASB applications and activities are not identified by the browser.
  Workaround: Disable HTTP over QUIC in your browser settings to use the SSL proxy.
  - Steps to disable HTTP over QUIC in Firefox:
    1. In the address bar, enter about:config.
    2. In the Search preference name box, enter network.http.http3.enable and change the toggle to False.
    3. Repeat the above step for network.http.http3.enable and change the toggle to False.
    4. Clear the browser cookies and restart the browser.
  - Steps to disable HTTP over QUIC in Chrome:
    1. In the address bar, enter chrome://flags/.
    2. In the Search flags box, enter Experimental QUIC protocol and select Disabled from the drop-down menu.
    3. Clear the browser cookies and restart the browser.